Hey Everyone.. LOTS of updates here and some of them are VERY important.
Please at least scan through this to see what's new. -109- users on the
list and growing faster and faster!

--David

--

02/11/99

Placed short header names in each [Section] name. Makes topics easier to
find. *Sent Update* [Section 2]

Added the note that there is now a description of how packet and
statefully inspected firewalls work. [Section 3]

Changed the "Future Features" section to group similar tasks, i.e.
Networking, hardware, etc. Also added a future feature to do more GUI
help. [Section 3]

Added a backup URL for IPCHAIN's IPmasqadm since Juanjo's main ML.ORG
site is now 404. [Section 5]

Indented all the Security URLs, added L0pht, Rootshell, etc. URLs.
[Section 5]

Updated the "How firewalls work" flow diagram to include the FORWARDING
rule. [Section 10]

Added a little blurb on the differences between how packet and statefully
inspected firewalls work. [Section 10]

Doh! The explicit OUTPUT firewall ruleset was matching the wrong ports for
the MASQ and NON-MASQ strong ruleset! This isn't a super huge issue but it
IS sloppy!!! For example:

  From:
  #secure1.host.com
  /sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 -D $securehost/32 ftp ftp-data ssh pop-3 $unprivports

  To:
  #secure1.host.com
  /sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ftp ftp-data ssh -D $securehost/32 $unprivports

[Section 10]

Fixed the DHCP rules to reflect the port names of "bootps" and "bootpc"
vs. ports 67 and 68. Makes things more readable. [Section 10]

Made sure the /etc/services file has:
--
bootps          67/udp          # bootp server
bootpc          68/udp          # bootp client
--
[Section 27]

Recently found out on the BRU mailing list that when you use BRU's
software compression or your tape drive's hardware compression, you
should set the tape drive's capacity setting to "0"! [Section 29]

Added a little section on how to test Bru's tape backups. *VERY
IMPORTANT* [Section 29]

Under the RPM testing section, added another RPM test with a double -vv
to really look at a given RPM. [Section 50]

Made Lynx permission recommendations for Lynx users running versions
older than 2.8.1. [Section 50]

Noted that though not included in Slackware or Redhat, the ProFTPd daemon
included with Debian Linux is vulnerable to the same FTP root exploit that
Wu-ftpd is vulnerable to. [Section 50]

02/10/99

Updated the Feature Sets to reflect the support of multiple Internet
domains on one box for DNS and EMAIL. [Section 3]

Changed the default permissions on Redhat's /bin/rpm from 755 to 700.
Normal end users shouldn't have access to something like this. [Section 7]

Clarified that users should ADD the specific lines to the
/etc/syslog.conf file and not replace the existing file. [Section 9]

Added both a Slackware and Redhat version of the /root/logit script.
[Section 9]

Cleaned up the "supporting more than one Internet DNS Domain" section and
fixed some formatting issues. [Section 24]

Cleaned up the "supporting more than one Internet Email Domain" section
and fixed some formatting issues. [Section 25]

Moved the RPM installation pre-installation tests to [Section 50] since
you should follow these simple recommendations EVERY TIME before you
install an RPM. [Section 25]

Upgraded the "run-rpmwatch" script to v1.1. This added "rm -f
rh-errata.txt" to the end of the script to clean up the loose tmp files.
[Section 43]

Moved from [Section 25] a pre-RPM TEST list to make sure that the user is
aware of any files that will be overwritten/DELETED, etc. [Section 50]

Installed an RPM to fix security: wu-ftpd-2.4.2b18-2.1.i386.rpm
[Section 50]

02/09/99

Added a few Future Feature sets:
  - Mail Backup: Setup MX email backup
  - IPv6: Configure and setup IPv6 and possibly setup an IPv6 tunnel via
    the 6Bone
  - Dial Backup: Add analog modem dial backup when the ADSL/Cablemodem
    goes down
  - CODA: Replace NFS support with CODA
  - Implement a new 2.2.x kernel
[Section 3]

Added a very detailed description and diagram of how any TCP/IP packet
firewall (including IPFWADM and IPCHAINS) operates. [Section 10]

Cleaned up the area between the MASQ vs. NON-MASQ rc.firewall rulesets.
[Section 10]

Updated the MASQ and NON-MASQ rc.firewall to v2.90
  - Changed the default policy for INPUT/OUTPUT/FORWARD from DENY to
    REJECT. This is actually just a semantic issue since I was REJECTing
    all non-allowed packets at the end of each INPUT, OUTPUT, and FORWARD
    section.
[Section 10]

Detailed out how to support multiple Internet domain names from one DNS
server. Simple! [Section 24]

Added a note that if you are going to support email for multiple Internet
domains on this one box, you need to add those domain names to the
/etc/sendmail.cw file. [Section 25]

Added a rough tape drive benchmark output in the
/usr/local/sbin/bru-fullbackup file. [Section 29]

Moved a bunch of old Updates to the old Updates URL given at the top of
this section. [Section 100]

02/08/99

Updated the "ssh" profile to include the -C and -P options to enable
Compression and to disable rsh (tcp ports > 1024) support. This would
break the ability to SSH out of the rc.firewall ruleset. [Section 30]

02/07/99

Updated the MASQ and NON-MASQ rc.firewall to v2.80
  - Clarified the input/output rules for HTTP to use the -W interface
    option and added a #ed out rule for allowing HTTP traffic directly to
    the Linux box from the Internet.
[Section 10]

02/04/99

Fixed a typo from /var/adm/log.to.ttys to /var/log/log.to.ttys
[Section 9]

--
.----------------------------------------------------------------------------.
| David A. Ranch - Linux/Networking/PC hardware          [EMAIL PROTECTED]    |
!----                                                                    ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]
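The OUTPUT-rule fix in the 02/11/99 entry turns on one detail of ipfwadm syntax: a port list binds to whichever -S or -D address precedes it, so moving "ftp ftp-data ssh" from after -D to after -S changes which packets the rule accepts. The following is an added example, not code from David Ranch's post or from TrinityOS: a small model of that matching logic, run over the two rules exactly as quoted and a few constructed packets. The interface, addresses and service table are constructed stand-ins, and $unprivports is assumed to expand to the range 1024:65535 (an assumption, not something the post states). As quoted, the corrected rule lists ftp, ftp-data and ssh but not pop-3, and the example shows the consequence of that as well.

```python
# Added example (not part of the post or TrinityOS): model ipfwadm -S/-D port
# binding to compare the "From" and "To" OUTPUT rules quoted in the 02/11/99
# update.  Constructed values throughout; $unprivports = 1024:65535 is assumed.
import shlex

# Constructed stand-ins for the shell variables used in the post's rules.
VARS = {
    "extif": "eth0",
    "extip": "192.0.2.1",
    "securehost": "198.51.100.7",
    "unprivports": "1024:65535",   # assumption: unprivileged port range
}

# Minimal service-name table (the real lookup would be /etc/services).
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "pop-3": 110}

# The two rules exactly as quoted in the post (From / To).
OLD_RULE = ("/sbin/ipfwadm -O -a accept -W $extif -P tcp "
            "-S $extip/32 -D $securehost/32 ftp ftp-data ssh pop-3 $unprivports")
NEW_RULE = ("/sbin/ipfwadm -O -a accept -W $extif -P tcp "
            "-S $extip/32 ftp ftp-data ssh -D $securehost/32 $unprivports")


def expand(rule):
    """Substitute the constructed shell variables into a rule string."""
    for name, value in VARS.items():
        rule = rule.replace("$" + name, value)
    return rule


def port_set(tokens):
    """Turn ipfwadm port tokens (names, numbers, low:high ranges) into a set of ints."""
    ports = set()
    for tok in tokens:
        if tok in SERVICES:
            ports.add(SERVICES[tok])
        elif ":" in tok:
            lo, hi = (int(p) for p in tok.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(tok))
    return ports


def parse_rule(rule):
    """Parse the subset of ipfwadm options used in the post into a dict.

    Ports listed after -S are source ports, ports after -D are destination
    ports; an address with no port list matches any port (stored as None).
    """
    argv = shlex.split(expand(rule))
    spec = {"chain": None, "policy": None, "iface": None, "proto": None,
            "src": None, "sports": None, "dst": None, "dports": None}
    i = 1                                   # skip the program name
    while i < len(argv):
        opt = argv[i]
        if opt in ("-I", "-O", "-F"):        # input / output / forwarding chain
            spec["chain"] = opt
            i += 1
        elif opt in ("-a", "-W", "-P"):      # policy, interface, protocol
            spec[{"-a": "policy", "-W": "iface", "-P": "proto"}[opt]] = argv[i + 1]
            i += 2
        elif opt in ("-S", "-D"):
            addr = argv[i + 1]
            i += 2
            ports = []                       # collect tokens up to the next option
            while i < len(argv) and not argv[i].startswith("-"):
                ports.append(argv[i])
                i += 1
            key = "src" if opt == "-S" else "dst"
            spec[key] = addr.split("/")[0]
            spec[key[0] + "ports"] = port_set(ports) if ports else None
        else:
            raise ValueError("unsupported ipfwadm option: " + opt)
    return spec


def matches(spec, saddr, sport, daddr, dport):
    """True if a TCP packet with these endpoints is accepted by the parsed rule."""
    if spec["src"] != saddr or spec["dst"] != daddr:
        return False
    if spec["sports"] is not None and sport not in spec["sports"]:
        return False
    if spec["dports"] is not None and dport not in spec["dports"]:
        return False
    return True


def compare(old_rule=OLD_RULE, new_rule=NEW_RULE):
    """Run constructed packets through both rules; returns {name: (old, new)}."""
    old, new = parse_rule(old_rule), parse_rule(new_rule)
    fw, host = VARS["extip"], VARS["securehost"]
    packets = {
        # The firewall's sshd answering a client on the secure host.
        "ssh reply (22 -> 40000)": (fw, 22, host, 40000),
        # The firewall itself opening an ssh session to the secure host.
        "ssh connect (40000 -> 22)": (fw, 40000, host, 22),
        # The firewall's pop-3 server answering the secure host.
        "pop-3 reply (110 -> 40000)": (fw, 110, host, 40000),
    }
    return {name: (matches(old, *pkt), matches(new, *pkt))
            for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (old_ok, new_ok) in compare().items():
        print(f"{name:28s} old={old_ok!s:5s} new={new_ok!s:5s}")
```

With the "From" rule the firewall's source port is unconstrained, so outbound connections from the firewall to the secure host's ssh port match; with the "To" rule only packets sourced from the firewall's own ftp, ftp-data and ssh ports to unprivileged ports on the secure host match, and a pop-3 reply no longer does because pop-3 is absent from the corrected rule as quoted.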